Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 160 · Private Key Compromise

CoinEx Hot Wallet Drain

Lazarus drained $54M from CoinEx hot wallets across Ethereum, Tron, BSC and seven other chains, reusing infrastructure from the prior week's Stake.com hit.

Date: September 12, 2023
Victim: CoinEx
Funds Stolen: ~$54 million
Attribution: Lazarus Group (DPRK)

On September 12, 2023 — eight days after the Stake.com heist — the Hong Kong-based exchange CoinEx detected unauthorised outflows from its hot wallets. Total losses: ~$54 million across at least ten blockchains. ZachXBT's on-chain analysis linked the laundering paths to the same operator as Stake, with both incidents subsequently attributed to Lazarus Group.

What happened

CoinEx's private keys for multiple hot wallets across multiple chains were exposed — the exact vector was not publicly disclosed, but the on-chain pattern is the same Lazarus signature seen in the DMM Bitcoin, Phemex and Stake.com operations: simultaneous coordinated withdrawals across multiple chains, immediate cross-chain bridging into mixers, and consolidation through a known set of laundering addresses.

SlowMist's breakdown of the loss:

  • ~$18M in ETH
  • ~$11M in TRX
  • ~$6M in BNB
  • ~$6M in XRP
  • ~$5.9M in BTC
  • ~$2.5M in SOL
  • ~$5M across MATIC, XDAG, KDA, BCH

ZachXBT's wallet analysis showed direct reuse of laundering addresses across the CoinEx and Stake.com proceeds — strong evidence that the same operator was running both campaigns in the same weeks.
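
The simultaneous multi-chain withdrawals described above suggest one monitoring check: reconcile every hot-wallet outflow against the exchange's own ledger of approved withdrawals, and alert when unreconciled outflows show up on several chains inside a short window. This is an added example, not code from CoinEx or from the sources cited here; the `Outflow` record, `find_multichain_drains`, the thresholds and every sample transaction are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Outflow:
    txid: str      # on-chain transaction id (constructed values below)
    ts: datetime   # block timestamp
    chain: str
    usd: float     # value at time of transfer

def find_multichain_drains(outflows, approved_txids,
                           window=timedelta(minutes=30),
                           min_chains=3, min_usd=1_000_000):
    """Flag bursts of unreconciled hot-wallet outflows spanning several chains.

    Unreconciled = txid absent from the internal approved-withdrawal ledger.
    """
    unreconciled = sorted((o for o in outflows if o.txid not in approved_txids),
                          key=lambda o: o.ts)
    alerts, start = [], 0
    for end, cur in enumerate(unreconciled):
        # Slide the left edge so the span never exceeds the window.
        while cur.ts - unreconciled[start].ts > window:
            start += 1
        span = unreconciled[start:end + 1]
        chains = sorted({o.chain for o in span})
        total = sum(o.usd for o in span)
        if len(chains) >= min_chains and total >= min_usd:
            alerts.append({"first_seen": span[0].ts, "chains": chains,
                           "usd": total, "txids": [o.txid for o in span]})
            start = end + 1  # begin a fresh span so one burst alerts once
    return alerts

# Constructed sample data: not real transactions from the incident.
T0 = datetime(2023, 1, 1, 12, 0)
SAMPLE = [
    Outflow("eth-001", T0, "ethereum", 40_000),                     # approved
    Outflow("trx-001", T0 + timedelta(minutes=2), "tron", 15_000),  # approved
    Outflow("eth-900", T0 + timedelta(minutes=5), "ethereum", 900_000),
    Outflow("trx-900", T0 + timedelta(minutes=6), "tron", 600_000),
    Outflow("bsc-900", T0 + timedelta(minutes=9), "bsc", 300_000),
    Outflow("btc-777", T0 + timedelta(hours=6), "bitcoin", 2_000_000),  # lone tx
]
APPROVED = {"eth-001", "trx-001"}

if __name__ == "__main__":
    print(find_multichain_drains(SAMPLE, APPROVED))
```

The lone unreconciled Bitcoin transfer does not trigger this rule on its own, so a production deployment would pair it with a per-transaction reconciliation alert.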

Aftermath

  • CoinEx paused withdrawals within hours and announced 100% compensation from corporate reserves.
  • Withdrawals were progressively restored over the following two weeks as keys were rotated and hot-wallet infrastructure rebuilt.
  • The funds were laundered through cross-chain bridges; no public recoveries.

Why it matters

CoinEx is one bookend of a tight cluster of Lazarus exchange operations in late summer 2023 — Stake.com on September 4, CoinEx on September 12, Mixin Network on September 23 — that collectively drained over $295M across three weeks. The cluster confirmed Lazarus had transitioned from primarily targeting DeFi protocols to systematically targeting centralised exchanges with weak hot-wallet hygiene — a pattern that intensified through 2024 and culminated in the Bybit heist eighteen months later.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-coinex-hack-september-2023
  2. coindesk.com: https://www.coindesk.com/tech/2023/09/13/north-korean-attackers-linked-to-54m-coinex-hack-blockchain-data-suggests
  3. risky.biz: https://risky.biz/north-korean-hackers-are-behind-coinex-hack/
